AWS cross region ipsec VPN using Vyos and Amazon VPN

This has been a very challenging task but I was able to get it working after a lot of trials.

Task

You need to connect an AWS VPC running in Europe with an AWS VPC running in the US.

Since I wanted to learn more about AWS, I decided to use the Amazon VPN and connect it to a Vyatta/VyOS router running on the other end.

I will try to keep this simple. Once you have everything up and running, go back and expand/secure everything.

This is not an in-depth guide and I assume you know how to set up a VPC, set up static routes, assign IPs, etc.

VPC 1) Name US-VPC

IP Range : 10.100.0.0/18

Network ACL => default allow all both directions

1 public subnet 10.100.0.0/24

1 private subnet 10.100.1.0/20

1 public Route 0.0.0.0/0 => IGW

1 private route 0.0.0.0/0 => NAT instance

VPC 2) Name EU-VPC

IP Range : 10.100.64.0/18

Network ACL => default allow all both directions

1 public subnet 10.100.64.0/24

1 private subnet 10.100.65.0/24

1 public Route 0.0.0.0/0 => IGW

1 private route 0.0.0.0/0 => NAT instance

You will need a VyOS instance running in your US VPC on the public range.

Go to EC2 => Launch => Community AMIs and search for VyOS. I’ve used the 64-bit instance provided by https://www.crownpeak.com/ VyOS-1.1.7 – ami-63193103
Launch this instance in your US VPC inside the public range and make sure the security group allows ALL traffic from everywhere.

Once the instance is up, allocate an EIP and assign it to the instance. I will assume this IP is 1.2.3.4.

The last step is to disable the source/destination check for the VyOS instance.

SSH into the VyOS instance using the user vyos and the key used to launch it.

Switch to the EU VPC.

Go to VPC.

Create a new Customer Gateway and use the IP address you assigned to the US Vyatta instance (1.2.3.4).

Create a new Virtual Private Gateway and attach it to the VPC.

Create a new VPN connection using the Customer Gateway and the Virtual Private Gateway.

Wait for the VPN to activate and download the configuration for Vyatta 6.5+.

Switch to the VyOS instance and get the eth0 IP address assigned to it, in my case 10.100.0.91 (you will need this!).

The very first thing we need to do is add a static route for the entire VPC range, otherwise the BGP route will never be announced.

Amazon adds a single static route for the subnet the instance was launched in and doesn’t add one for the entire VPC.
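Before building the tunnel it is worth checking the addressing plan from the two VPC definitions above, and working out the static route this step needs. The script below is an added example, not code from the original post: it parses the two VPCs as written, reports any VPC ranges that overlap (a site-to-site VPN cannot route between overlapping ranges), any subnet that is not on a network boundary or falls outside its VPC, and then builds the VyOS `set protocols static route` line for the whole VPC range. The `check_plan` and `vyos_vpc_route` names are hypothetical, and the next hop assumes the AWS convention that the VPC router answers at the first address after the subnet's network address (10.100.0.1 for the 10.100.0.0/24 public subnet that holds 10.100.0.91). Run against the post's values, the check flags the US private subnet 10.100.1.0/20, because 10.100.1.0 is not a /20 boundary.

```python
"""Sanity-check a multi-VPC addressing plan and derive the VyOS VPC route.

Added example, not part of the original post. Assumes the plan below is
copied from the post and that the VPC router sits at the first address
after each subnet's network address (AWS convention).
"""
import ipaddress
from typing import Dict, List

# Addressing plan constructed from the two VPC definitions in the post.
PLAN: Dict[str, Dict] = {
    "US-VPC": {
        "cidr": "10.100.0.0/18",
        "subnets": {"public": "10.100.0.0/24", "private": "10.100.1.0/20"},
    },
    "EU-VPC": {
        "cidr": "10.100.64.0/18",
        "subnets": {"public": "10.100.64.0/24", "private": "10.100.65.0/24"},
    },
}


def check_plan(plan: Dict[str, Dict]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent.

    Checks: VPC CIDRs parse and are RFC1918; VPC CIDRs are pairwise disjoint;
    each subnet is a valid network (no host bits set), lies inside its VPC and
    does not overlap a sibling subnet.
    """
    findings: List[str] = []
    vpcs = {}
    for name, spec in plan.items():
        try:
            vpcs[name] = ipaddress.ip_network(spec["cidr"])
        except ValueError as exc:
            findings.append(f"{name}: bad VPC CIDR {spec['cidr']}: {exc}")
            continue
        if not vpcs[name].is_private:
            findings.append(f"{name}: {vpcs[name]} is not an RFC1918 range")

    names = list(vpcs)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if vpcs[a].overlaps(vpcs[b]):
                findings.append(f"{a} {vpcs[a]} overlaps {b} {vpcs[b]}")

    for name, spec in plan.items():
        if name not in vpcs:
            continue
        parsed = {}
        for role, cidr in spec["subnets"].items():
            try:
                net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
            except ValueError:
                findings.append(f"{name}/{role}: {cidr} is not on a network boundary")
                continue
            if not net.subnet_of(vpcs[name]):
                findings.append(f"{name}/{role}: {net} is outside {vpcs[name]}")
            for other_role, other in parsed.items():
                if net.overlaps(other):
                    findings.append(f"{name}: {role} {net} overlaps {other_role} {other}")
            parsed[role] = net
    return findings


def vyos_vpc_route(vpc_cidr: str, eth0_ip: str, subnet_cidr: str) -> str:
    """Build the VyOS static route for the whole VPC range via the VPC router.

    eth0_ip must belong to subnet_cidr; the next hop is the VPC router,
    which AWS places at the first address after the subnet's network address.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    if ipaddress.ip_address(eth0_ip) not in subnet:
        raise ValueError(f"{eth0_ip} is not in {subnet}")
    router = subnet.network_address + 1
    return f"set protocols static route {vpc} next-hop {router}"


if __name__ == "__main__":
    for finding in check_plan(PLAN) or ["plan is consistent"]:
        print(finding)
    # eth0 address and public subnet of the VyOS instance from the post
    print(vyos_vpc_route("10.100.0.0/18", "10.100.0.91", "10.100.0.0/24"))
```

The VPC route line it prints is what the VyOS instance needs before the BGP session can announce the whole US range; the subnet-boundary finding is the kind of thing to resolve in the VPC console before creating the VPN connection, since the EU side will only ever learn the prefixes that are actually routable on the US side.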